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1, INTRODUCTION 

Hash functions are one-way functions used for mapping variable input size and produce fixed length 
output digest. It is a powerful algorithm to verify data integrity over peers. There are many hash functions, 
such as MD5[1], SHA1[2] and Double-A[3]. Many hash functions acted as a random oracle for a time being. 
However, the revolution of computer processors enhanced the attacks on such algorithms. The concerns of 
hash function security are its resistance to the basic security criteria; preimage, second preimage, collision 
and length extensions. 

Attackers try to create a scenario to break one of the security criteria by compromising and the 
analyzing hash states. Thus, designers’ goal is building high confusing and defusing to create what so called 
random oracle. 

The basic security criteria of hashes is its resistance to preimage, second-preimage, collision and 
recently length extensions. 

Titanium is a new constructed sponge hash function that uses 512bit SF block cipher[4]. SF is a 
block cipher that takes 512 plaintext input, 512bit key and applies four operations on the input to produce 
512bit output ciphertext. Titanium takes variable length input and produces fixed output digest 512bit. 


2. RESEARCH METHODOLOGY 
2.1 Sponge Function Overview 

Sponge is one of the hash function construction. There are some constructions used for building 
hash function algorithem such as, Merkle—Damgard construction. It has issues with the digest length as its 
security 1s depending on that length. Sponge construction has been introduced by Keccak team[5-6]. It aims 
to split the security level of the algorithm from the digest length. Sponge construction has three main phases; 
Absorbing phase, Squeezing phase and the truncation phase. 
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2.2 Inner State 

Message input goes through several iterated operations inside the blender. Each operation produces 
different output forming in S-box. Each S-box is a state which contains the binary pattern of the algorithm 
result. The states in the middle of the blender operations called inner states. It is the intermediate chaining 
values that is formed from the last operation performed on the pattern. 


P=M||P+1+ Zeros + Mx (1) 


Length padding rule has been implemented on Titanium. Adding prefixes or suffixes to the message 
will not create collisions with length padding. Assuming message length for two messages are same, then the 
binary pattern will be different. Adding bits to the input will affect the message binary and padding bits. 
Then, different input. 


Message Padding 





Figure 1. Sponge construction 


2.4 Absorbing Phase 
r-bit message blocks are inserted to the blender by XORing it with the first r-bits of the 
state[Figure ] ]. 


2.5 Cipher 
F cipher [1] 1s processing over four operations; sub-byte, Convert row, shifting and add round key. 


Sub-Byte. 

Data elements is sub-byted over 576bit S-boxes. Sub byte operation properties remove the linear 
characteristics. Therefore, linear cryptanalysis is not applicable on Titanium S-boxes. Moreover, it increases 
the diffusion and confusion so, studying the linearity effectiveness of differentials 1s out of complexity scope 
and does not create an advantage to the attacker. 


Convert Row Round. 

In this stage, Titanium data element is blended with each other’s, preparing it to the next stage. After sub- 
byte round, convert row round blends the bits, increasing diffusion and confusion such that keeping the 
properties of small differences in input is obscure. 


2.6 Cryptanalysis 
Preimage. 

Hash functions should be one-way property such that knowing the original message from the digest 
is not possible with complexity lower than 2°. There are many ways to break this property such as giving 
prefixes to the message or going backwards through intermediate chaining values reaching to the mother 
state then the original message or even with brute force attack. Preimage is to obtain the original state from a 
given digest[Figure2]. 

Titanium sponge hash function has 1024-bit capacity and bitrate of 576bit. Since the capacity is the 
security parameter for sponge construction and its security is split from the digest length [5], the minimum 
complexity for Titanium against preimage attack is 2” 
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Collisions. 

Collision is to find different input that leads to the same digest [7]. Collision resistance itself is a 
general criterion, so there are many ways that attackers use to obtain collisions in the hash function such as 
finding collisions in intermediate chaining values by applying different scenarios to establish the attacks. The 
minimum complexity required for random oracle is 2°. Attackers can break the complexity to half by using 
birthday theory in probability science[Figure3]. In simple, it could be by surrounding all probability statics 
for the digest. For instance, a classroom with twelve students. One student should share the same birthday 
with a colleague. By some probability calculations, the complexity might be broken to the half. 


Second Preimage. 
Second preimage is the advances of collision attack. It is to find the second message from a given digest 
and known first message with its hash value[Figure4] [7]. 


H (Mo) — 0a5d1f18c84b0c145f588a6012 1da7 
H (M,) — 0a5d1f18c84b0c145f588a60121da7 





Attackers try to find M; 


Figure 2. Second Preimage 


Length extension. 

Length extension is one of the security criteria for hash functions. Hash functions can be used as 
Message Authentication Codes. H(SecretlIMessage). Therefore, any weakness in the hash structure will threat 
the MAC and affect the server files validation [9]. 

In this case, server calculates the message digest and determines if it is a valid request or not. 
Theoretically, attackers may forge modified request without knowing the secret that the server uses by 
appending some data to the message and server still sees it as a valid request (2). 

h(M||P||M*||P°) (2) 

Since length extension attacks depend on finding collisions in the internal state, Titanium iterates on 
24 times and each operation updates the whole state. Furthermore, changing one bit will change at least half 
of the state bites and the attacker does not know which part has been truncated. 


2.7 Advanced Security analysis 

The basic security criteria for hash functions are preimage, second preimage, collision and length 
extension (Used with MACs). The basic security claims for all of criteria should be at least 2°. Attackers 
create a scenario to break one or more of those criteria or reduce the complexity of algorithm, whether it is a 
theoretical or a practical way. 


Multi-collision attack. 

Cascading hashes appeared in the PhD thesis of B. Preneel [9]. It is to build a concreted hash digest 
from two independent hash algorithms. It increases the security level with affecting the total cost of 
implementation (3). 


(h1(Message0)||h2(Message1)) (3) 


Joux [11] proved that cascading hashes does not make difference. The complexity of it remains as if 
it is only one hash algorithm. Joux [11] found collisions with message’s blocks by exhausted search using 
pre-computed data structure to compare all message’s pairs to obtain four collisions (Collision finding 
machine) such that giving initial value that will produces two blocks of the message (4) [Figure5]. 


f (initial Value, Block0) = f Unitial Value, B0*) (4) 
The attack is based on finding collisions at intermediate chaining values between the internal states 


of the message pairs. Titanium has a capacity of 1024bit and updates each state after each operation. 
Considering birthday theory, the complexity of Titanium against remains 2°. 
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Figure 3. Multi-Collision attack 


Herding Attack. 

Herding hashes is the advances of Multi-collision attack by using brute-force to create a tree of 
data[12]. Its idea is to create an array of data structure which is a pre-computed tree for intermediate values 
by using brute-force. Then, run exhaustive search for internal states that collide with one or more data 
structure values. After the collision, adding short prefixes to the string is possible with approved validation. 

Titanium follows sponge construction and uses SF cipher. The digest is truncated and the truncated 
part is unknown to the attacker. Furthermore, initial value is same for all inputs. Changes in inputs affect first 
state then the whole inner states. 

By using brute-force, the complexity of Titanium remains at minimum 2° with the consideration of 
birthday theory. 


2.8 Distinguishers: 

Distinguishers is used widely to break security algorithms as it has many techniques to use. It is the 
study of the relationship between inputs, keys and the outputs to disclose full of the key or part of it. 
Distinguishers’ cryptanalysis aims to break one or more of the hash function security criteria (Preimage — 
Second preimage — Collision — length extension) through particular cryptanalysis, such as differential 
cryptanalysis. 


Differentials cryptanalysis. 

Differentials is the study of the relationship between inputs and outputs. It is aiming to trace the 
function and where it does a particular behavior such that exploiting that vulnerability and disclose the key or 
part of the key [14]. It is based on known plaintext-ciphertext cryptanalysis which is a pair of messages that 
has a particular statistical properties. Attackers apply their differential attacks using different scenarios and 
techniques such as, slide attack, rotational and truncated differentials. Generally, for Titanium, the total cost 
of generating pair of messages that has that particular statistical properties is 2”. 


Slide Attack. 

Slide attack is known plaintext chiphertext attack. However, it does not use brute force attack to 
generate the pairs. It depends on what so called, slid pairs. The given variables for the attacker is the message 
(Po), chiphertext (Co) of the Pp and the assumed message (P,). Attacker pretends that P; equals R; of P; then 
f, of po should equal Ry of P;. After that, attacker make some analysis to disclose the key used between f, and 
C,. If attacker got the corresponding key, applying the same key with Po and the key will produce f). If f, 
equals P,, then the pair is a good pair and considered as slid pair as shown below[Figure6] [12]. 

Slide attack is efficient with algorithm that uses one key for all rounds and the output of all rounds is 
known for the attacker. However, Titanium updates its state each round and its states do not present any 
biases to each other. Using XORing between states makes the states take the diffusion and the confusion 
properties. Furthermore, the output of Titanium is truncated and the attacker does not know which part has 
been truncated from the digest. Using brute force attack, the complexity of generating slid pair will depends 
totally on known plaintext attack which requires 2”° possibilities. By considering birthday theory to establish 
the attack, the complexity of generating slid pair remains 2°. 
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Figure 4. Slide cryptanalysis 


Rotational cryptanalysis 

It is the analysis that relies on ARX [Modular addition, Rotation and XOR]. Rotations can be 
obtained by rotating the corresponding word. Rotational cryptanalysis can be established if the bits are 
friendly to rotate property. However, Titanium does not follow ARX and uses constant in its operation. IVs 
are same for all messages and capacity remains with a fixed value (zero) [15]. 


Truncated differential cryptanalysis 

It is the cryptanalysis on the differences in inputs and outputs to discover the key or part of it. 
Truncated differentials relies on known plaintext ciphertext attack. It studies the behavior of the function and 
tracing it to the stage that the function makes a different behavior hoping to find statistical patterns in Sboxes 
distribution. Attacker should obtain plaintext and the corresponding ciphertext. Once the attacker gets the 
statistical property, then pairs called differentials [16]. 

Titanium has a constant value (C, IV) for all messages and finding the required pairs needs 2*° 
possibilities. Assuming that the attacker is able to find the pairs with less work (<2°), the digest is truncated 
and attacker does not know which part has been truncated. 


Square attack 

Square or integral attack is a differential attack based on known plaintext ciphertext attack [17]. It 
was first applied on block ciphers. However, the technique here is to find the corresponding differences in the 
block rather than several bits. It exploits the property of one-way S-box. Its pairs should have constants in the 
pairs’ blocks plus variables and then attack could be established with those studied variables and considered 
as integral pairs. 

Titanium has a capacity of 1024bit and never affect the output. Bitrate values of Titanium are 
changing after each operation and round. Furthermore, the digest is truncated and the full digest is obscure. 


Linear cryptanlysis 

Linear cryptanalysis is efficient with algorithm that uses ARX [Add — Rotate — XOR]. In this attack, 
attacker tries to obtain known plaintext ciphertext pairs with linearity proportion of ’% by some XORs 
operation and statistical studies. It depends on the zeros and ones distribution in the state[Figure7] [18]. 
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Titanium has a capacity of 1024bit which forces attacker to generate 2”° pairs by using brute force 
attack. Moreover, S-boxes used in Titanium are non-linearity property. Assuming the attacker succeeds in 
applying the linear on Sboxes somehow, the total cost of establishing the attack is 2”. 


I=(h.b, In) 
O =(01, O2, On) 


11 13 la DB Or BD Og DY O5= 0 
Figure 5. Linear pairs 


3. DISCUSSIONS 
Table 1 is a discussion for Titanium on any desired digest length with different attacks and security 
criteria. The complexities are the required cost to establish the attack using brute force attack technique. 


Table 1. Discussions 
Function Collision Prei-mage S-preimage Distinguishers 
Titanium-256 9256 
R.Sponge-256 
Titanium-512 


12 12 12 
» - pe 


pate A a 71024 O haas 
R.Sponge-5 12 
Titanium-n an 92 920 92 
R.sponge-n 


4. CONCLUSION 

Titanium hash function has been analyzed. It shows a resistance of 22c against the studied attacks. 
Its construction and cipher fortified the algorithm by surrounding it with high diffusion and confusion with 
taking its performance of the algorithm in the consideration. Using bigger capacity increases hash 
complexities. However, bigger capacity means higher executive costs on modern CPUs. 1024bit capacity is a 
reasonable size. The security claims of it fulfill random sponge claims which is the ideal hash function. 
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